CVE-2026-57658
Deferred Deferred - Pending Action

Administrator Arbitrary File Upload in TemplateSpare

Vulnerability report for CVE-2026-57658, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack templatespare to 4.2.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress TemplateSpare Plugin, versions 4.2.0 and below, contains an Arbitrary File Upload vulnerability. This flaw allows attackers with administrator or developer privileges to upload malicious files, such as backdoors, to a website.

Although Patchstack classifies the impact as low severity, the vulnerability has a high CVSS score of 9.1, indicating a significant risk. The issue is related to injection attacks and is listed under OWASP Top 10 A3: Injection.

The vulnerability was discovered by Ananda Dhakal of Patchstack and publicly disclosed on June 26, 2026. It is patched in version 4.2.1 of the plugin.

Impact Analysis

This vulnerability can allow an attacker with administrator or developer access to upload malicious files to your website. Such files could include backdoors, which enable unauthorized remote access and control over the site.

Exploitation of this vulnerability can lead to severe consequences including full site compromise, data theft, defacement, or use of the site as a platform for further attacks.

Because the vulnerability has a high CVSS score of 9.1, it represents a critical security risk that should be addressed immediately by updating the plugin or seeking assistance from hosting providers or web developers.

Compliance Impact

The vulnerability allows an attacker with administrator privileges to upload arbitrary malicious files, such as backdoors, to a website. This can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could lead to violations of these regulations due to compromised data confidentiality, integrity, and availability.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress TemplateSpare Plugin to version 4.2.1 or later, where the arbitrary file upload issue is patched.

If updating is not possible immediately, it is recommended to seek assistance from a hosting provider or a web developer to help mitigate the risk.

Additionally, Patchstack users can enable auto-updates for vulnerable plugins to automatically apply patches and reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57658. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart